In the above video I demonstrate how I'm able to get Domain Admin from token impersonation of a credentialed Nessus scan. I start by gaining access to the Windows host via psexec with a local administrator account (simulating an attacker who gets a foothold and then escalates privileges). While Nessus is scanning the Windows host, the incognito module of Metasploit is loaded and the tokens are listed. After impersonating the Domain Admin via the Nessus scan, one could take this attack further by accessing shares or by creating a new Domain Admin and logging into the Domain Controller.
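The condition the video abuses is a Domain Admin-level scanning account logging on to ordinary member hosts, which leaves its token on every box it scans. The following is an added detection example (not from the original post): it reads Windows Security 4624 logon events and flags any Tier-0 account logon to a host that is not a domain controller. The log lines, the `TIER0_ACCOUNTS` watchlist and the `DOMAIN_CONTROLLERS` set are constructed for illustration and would be replaced with your own data.

```python
"""Flag Tier-0 (Domain Admin) logons to non-DC hosts in Windows Security
event data. Sample events are constructed; field names follow the
4624 (successful logon) event schema as exported by common SIEM agents."""
import json

# Constructed watchlists (assumption: populate from your AD groups and DC list).
TIER0_ACCOUNTS = {"CORP\\svc_nessus", "CORP\\da_admin"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed sample log: one JSON event per line.
SAMPLE_LOG = """\
{"EventID": 4624, "TargetUserName": "svc_nessus", "TargetDomainName": "CORP", "LogonType": 3, "Computer": "WS-FINANCE-07", "IpAddress": "10.0.5.20"}
{"EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "CORP", "LogonType": 2, "Computer": "WS-FINANCE-07", "IpAddress": "-"}
{"EventID": 4624, "TargetUserName": "da_admin", "TargetDomainName": "CORP", "LogonType": 10, "Computer": "DC01", "IpAddress": "10.0.1.5"}
{"EventID": 4672, "SubjectUserName": "svc_nessus", "SubjectDomainName": "CORP", "Computer": "WS-FINANCE-07"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole scan
    return events


def privileged_logons_to_members(events, tier0=TIER0_ACCOUNTS, dcs=DOMAIN_CONTROLLERS):
    """Return 4624 events where a Tier-0 account logged on to a non-DC host.

    Each such logon places that account's token on a member host, which is
    the precondition for the impersonation step shown in the post. DC logons
    by the same accounts are expected and are not reported."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        acct = f'{ev.get("TargetDomainName")}\\{ev.get("TargetUserName")}'
        if acct in tier0 and ev.get("Computer") not in dcs:
            hits.append({"account": acct, "host": ev.get("Computer"),
                         "logon_type": ev.get("LogonType"), "source": ev.get("IpAddress")})
    return hits


if __name__ == "__main__":
    for hit in privileged_logons_to_members(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {hit['account']} logon (type {hit['logon_type']}) "
              f"to member host {hit['host']} from {hit['source']}")
```

Running it against a real export is the same call with the file contents in place of `SAMPLE_LOG`; the alert tells you which hosts currently hold a reusable Domain Admin token, and the remediation is a scanning account that is local admin on members but holds no domain privileges.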
Token Impersonation From Nessus Credentialed Scan
Updated: Nov 28, 2023